Hi guys.

Nice to meet you.

This app was protected by Shielden+DNGuard.

Have a try. If you get it, describe how to do it, thanks...

Sorry for my poor English, sorry for my Chinglish!

((o(^_ ^)o))    ((o(^_ ^)o))    ((o(^_ ^)o))    ((o(^_ ^)o))

UnPackMe.rar

Edited by 381400744

Solved by Asif

  • Author

Giving the people a rose, the hand has a lingering fragrance.

Is there nobody? :snog:

Hi 381400744,

This application was protected by Shielden and DNGuard!

I've already unpacked the first protector (Shielden), and this application is running now...

But the second protector (DNGuard HVM), I don't know how to unpack it!

I want someone to do......

UnPackMe_UnPacked1.rar

CodeCracker knows.


:)


Over the unprotected file posted by je9rry:

- I've got to jump the .idata section to the .text section. After that, reconstruct the import table using Universal Fixer (all ".NET" should be unmarked).

- I've got to set the "IL only" flag from the .NET Directory.

- I've got to fix the entry point.

After that, unpack it using DNGuardHVMUnpacker.

Unverifiable PE Header/native stub.

The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

Edited by CodeCracker

The above error is annoying! The assembly won't start!


I could make it work only by decompiling with ildasm.exe


and compiling with ilasm!


Unpacked file attached!


 


UnPackMe_UnPackedSetup1_unpacked.zip

@je9rry Now CodeCracker is sharing how to unpack DNGuard HVM, so could you share how to unpack Shielden? I know you are willing to share happiness with us :prop:

@codecracker Good job!

- I've got to jump the .idata section to the .text section,

I can't understand this step. Please give more detail. Thanks! :please:


  • Author

@CodeCracker You are a superstar in China. Many people in my country have heard of you!

Pretty good, a great man who knows how to share!

I'm your fan!


Edited by 381400744

  • Author

@Falcon_2015 Unpacking Shielden is a simple thing!

1. Dump it in memory!

2. The raws of all sections overflow, you should repair them!


Edited by 381400744

@codecracker Good job!

- I've got to jump the .idata section to the .text section,

I can't understand this step. Please give more detail. Thanks! :please:

You must join the .idata section to the .text section:

I've used CFF Explorer:

- add to Virtual Size of ".text" section the Virtual Size of ".idata" section

- add to Raw Size of ".text" section the Raw Size of ".idata" section

- delete the .idata section - header only

- set the Import Directory RVA to a good place so UniversalFixer could fix imports!

Unverifiable PE Header/native stub.

The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

Could you please share the file that's having this error? I'm interested in finding out what's causing it. ;)

@Falcon_2015 Unpacking Shielden is a simple thing!

1. Dump it in memory!

2. The raws of all sections overflow, you should repair them!

 

Hi 381400744:

Before, I unpacked some Shielden EXEs, but when I used the same method to dump and fix this UnpackMe, I failed. Pls give me some guidance (did you fix other parts with CFF),

and do you understand the tutorial CodeCracker described? If you understand how to unpack your UnpackMe, pls share.

You said: Giving the people a rose, the hand has a lingering fragrance :prop:

 


Edited by Falcon_2015

@kao:


The error comes after unpacking with DNGuardHVMUnpacker!


File attached!


 


UnPackMe_UnPackedSetup2_fix_unpackedz.zip

  • Author

@Falcon_2015 


 


Please contact me with QQ International.


 


My QQ number: 381400744


 


Edited by 381400744

@CodeCracker   


I followed these steps:

- add to Virtual Size of ".text" section the Virtual Size of ".idata" section ------- C2000+2000

- add to Raw Size of ".text" section the Raw Size of ".idata" section -------- 6000+2000

- delete the .idata section - header only ------------------ did it

Then I saved the file and opened it, and found the import directory is empty. How to deal with it?

  • Author

@je9rry


 


When you change the section,

you should rebuild the import directory.......

@381400744 I get it. Thanks!

@codecracker But I don't know how to fix the entry point, so the DNGunpacker can't unpack it.

Error message: two more TLS's IAT.

Can you give some advice? Thanks for your reply!


UnPackMe_UnPacked_fix.rar

Edited by je9rry

@jerry Mark the ilcode box.

I don't know, I dump exe, failed to decrypt string.


Unpacked3.zip

@codecracker But I don't know how to fix the entry point, so the DNGunpacker can't unpack it.

Error message: two more TLS's IAT

Find a suitable place for the entry point (free 00... spaces).

The entry point should look like this:

FF2500204000

(jmp dword ptr FTs (IAT)).
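
The two header properties this thread keeps returning to, the entry-point stub `FF 25 00 20 40 00` (an indirect `jmp` through the import address table) and the "IL only" bit of the .NET Directory flags, can be checked statically. The Python below is an added example, not code from any poster or tool in the thread; `check_managed_pe` and `build_sample` are hypothetical names, and the sample image is a constructed header-only PE32 buffer.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1  # "IL only" bit of the CLR header Flags field

def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def check_managed_pe(data):
    """Inspect the entry-point stub and the IL-only flag of a PE32 image."""
    pe = u32(data, 0x3C)
    opt = pe + 24                                   # optional header
    if data[pe:pe + 4] != b"PE\0\0" or u16(data, opt) != 0x10B:
        raise ValueError("not a PE32 image")
    entry_rva, image_base = u32(data, opt + 16), u32(data, opt + 28)
    iat_rva, iat_size = struct.unpack_from("<II", data, opt + 96 + 8 * 12)
    clr_rva = u32(data, opt + 96 + 8 * 14)          # .NET (CLR) directory
    sec0 = opt + u16(data, pe + 20)                 # first section header
    sections = [struct.unpack_from("<IIII", data, sec0 + 40 * i + 8)
                for i in range(u16(data, pe + 6))]
    def off(rva):                                   # RVA -> file offset
        for vsize, va, rawsize, raw in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")
    stub = data[off(entry_rva):off(entry_rva) + 6]
    is_jmp = len(stub) == 6 and stub[:2] == b"\xff\x25"   # jmp dword ptr [abs32]
    target = u32(stub, 2) - image_base if is_jmp else -1
    return {"stub_is_jmp_indirect": is_jmp,
            "stub_targets_iat": iat_rva <= target < iat_rva + iat_size,
            "il_only": bool(clr_rva and u32(data, off(clr_rva) + 16) & COMIMAGE_FLAGS_ILONLY)}

def build_sample(flags=0x3, stub="FF2500204000"):
    """Constructed header-only PE32 buffer laid out like a small .NET EXE."""
    d = bytearray(0x600)
    struct.pack_into("<I", d, 0x3C, 0x80)                    # e_lfanew
    d[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", d, 0x84, 0x14C, 1)               # i386, one section
    struct.pack_into("<H", d, 0x94, 0xE0)                    # SizeOfOptionalHeader
    struct.pack_into("<H", d, 0x98, 0x10B)                   # PE32 magic
    struct.pack_into("<IIII", d, 0x98 + 16, 0x2100, 0, 0, 0x400000)  # entry RVA .. ImageBase
    struct.pack_into("<II", d, 0x98 + 96 + 8 * 12, 0x2000, 8)     # IAT directory
    struct.pack_into("<II", d, 0x98 + 96 + 8 * 14, 0x2008, 0x48)  # CLR directory
    struct.pack_into("<8sIIII", d, 0x178, b".text", 0x1000, 0x2000, 0x400, 0x200)
    d[0x300:0x306] = bytes.fromhex(stub)                     # entry RVA 0x2100
    struct.pack_into("<I", d, 0x208 + 16, flags)             # CLR Flags, RVA 0x2008
    return bytes(d)
```

With image base 0x400000 the stub operand 0x00402000 resolves to RVA 0x2000, which is where the constructed sample places its IAT directory.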

 

Thanks, works great.

@jerry Can you share the SE unpack tut, cause my unpacked string crashes.

jerry's exe unpacked with codecracker's tut


UnPackMe_UnPacked_fix_fix_unpackedz_Final.zip

Edited by Death

  • Solution

Finally done in full.

Here is a tutorial on how to unpack properly.

Edited:

1. Dump .NET from the process module [can use dotnet dumper]

2. Remove .hvmRunt + .rsrc + .HVMRunt, delete (header and data), use CFF

3. Find corExe with CFF in string mod, find a comfortable location, copy the RVA and use that as the Import Directory RVA [CFF]

3. Use Universal Fixer without marking .NET and fix [to fix mscoree.dll with corExe placed in the correct location]

4. Use CFF and copy the virtualize dword address from section header[x] .text

5. .NET Directory flags value should be 0003 [ilcode mark]

6. Use DNGuard Unpacker

7. To run, use ilasm and ildasm

It is all at long last.

End of the game ....

Attached Unpacked4 Final Tutorial

Unpacked4_Tutroial.zip

Edited by Death

Thanks to all of you guys~~~~


@Death  Nice !!! :prop:    Thank you for sharing

